Securing Domino Protocols against Brute Force Attacks

For years I have thought that the Internet password lockout feature of IBM Domino is not enough. The function is documented here:
IBM Domino Administrator Help

Quote from this document:

There are some usage restrictions for Internet password lockout: You can
only use Internet password lockout with Web access. Other Internet
protocols and services, such as LDAP, POP, IMAP, DIIOP, IBM® Lotus®
Quickr®, and IBM Sametime® are not currently supported. However,
Internet password lockout can be used for Web access if the password
that is used for authentication is stored on an LDAP server

So the documentation tells us that only HTTP can be secured through
inetlockout.nsf, and for years the documentation was right. So protocols
like LDAP, SMTP or POP3 are prone to dictionary attacks.

Last week at a customer site I couldn't log in to IBM Connections, even
with the correctly spelled password. After checking the Domino server I
found that the user had an entry in the inetlockout.nsf database. That
was the first time I had seen this behaviour; the Domino server was version
8.5.3.

Today I had some spare time and checked the other protocols on my demo
server for my AdminCamp sessions next week.

So I secured SMTP, POP3 and IMAP for authentication, started to use
the wrong password for login, and I also tried wrong passwords on
LDAP-authenticated Sametime and Connections. What should I say? I was
locked out through all protocols! Martin Leyrer pointed me to the
following technote, where the feature is mentioned as securing SMTP against
brute force. That's the only document I can find where the extended
inetlockout is mentioned or documented.

I don't know how many of my customers or friends have asked for this feature,
but we have talked about it often. That's a feature we have asked for for a
long time and which is really important for all deployments of Domino with
internet access. Now all important protocols are safe against brute force or
dictionary attacks.

So, great news, but the documentation must be updated and the feature
must be officially announced.

Why?

It is a really important security feature

If you already use inetlockout for HTTP and you update your Domino
server, the feature is active without any additional work! Good for
security, but your helpdesk team could be a little surprised.

Which Domino version first had this code included?

When you want to know how to deploy the lockout feature, please read the
documentation and this technote.

Update:

I got a mail saying that with 8.5.3 FP6 only SMTP and LDAP work with
inetlockout. I can't test this at the moment, but with 9.0.1 POP3 and
IMAP are secured too. I need to test this again with lower versions and
DIIOP.

nginx

You can use nginx as a reverse proxy for mail protocols. So this is a way
to put SHA256-enabled certificates in front of your Domino servers.
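As an added example (not from the original post), this is an nginx mail-proxy configuration that terminates TLS for IMAPS and POP3S in front of Domino; the hostname, certificate paths and the auth_http backend address are assumptions. nginx's mail module needs an auth_http service that tells it which Domino server to connect to; nginx then replays the client's login to Domino, so Domino still checks the password and the inetlockout rules keep applying.

```nginx
# nginx mail proxy in front of Domino POP3/IMAP (added example, assumed names and paths)
events { }

mail {
    server_name mail.example.com;          # assumed hostname

    # Required by the mail module: a small HTTP service that answers each login
    # with Auth-Status / Auth-Server / Auth-Port headers naming the Domino backend.
    # It is assumed to run at this address; it is not part of nginx itself.
    auth_http 127.0.0.1:9000/auth;

    # Hand Domino's own error text back to the client when a login is rejected,
    # so a locked-out user gets the same answer as without the proxy.
    proxy_pass_error_message on;

    # SHA-256 signed certificate and key presented to mail clients (assumed paths).
    ssl_certificate     /etc/nginx/certs/mail.example.com.crt;
    ssl_certificate_key /etc/nginx/certs/mail.example.com.key;
    ssl_protocols       TLSv1.2;
    ssl_prefer_server_ciphers on;

    # The "ssl" parameter on listen needs nginx 1.15 or later;
    # older releases use "ssl on;" inside the server block instead.
    server {
        listen   993 ssl;   # IMAPS
        protocol imap;
    }

    server {
        listen   995 ssl;   # POP3S
        protocol pop3;
    }
}
```

Because the session to Domino now originates from nginx, Domino sees the proxy's address instead of the client's, which matters if you log or filter by client IP.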